Month October 2015

GPS systems represent an interesting part of CPS deployments. From tiny GPS chips that can track a phone or a person (without their knowing it) to systems installed in boats, airplanes and cars GPS has taken over the directions we get. It is however a distributed system producing expected and consistent results. When a phone or GPS system fails we blame the system.

Many of the things that have embraced the internet are things we rely on. The digital data component of our cellular devices is something we rely on. Have you recently checked your email on your hand held device. So why talking GPS today? Well frankly it is possible to spoof a GPS signal. GPS is all about signal strengthen and you could if you wanted to overload the signal by retroacting a GPS signal in an implied manner.

There is no checksum in a GPS signal. To date no one has done this but you could. Redirecting someone someplace they don’t want to be. Holding their location hostage until they pay for you to release their GPS. Security within CPS is critical. both IT and OT. (Information technology and operational technology). How and what we secure is important.

I’ve talked before about the big issues, the bridges of CPS going forward. Access, Data, Power, Bandwidth are all components of CPS that will ultimately determine the slope of implementation. IoT a marketing term that was coined a few years ago talks about devices that connect to the internet. There are more components of CPS than just IoT. Device to Device to Device remains a piece. CPS is the layer of intelligence between the device and the user. It is also the monitoring of the IoT devices and management of those devices as well.

I have a friend whose favorite saying is “I don’t have to outrun the bear, I just have to outrun you.” That really applies to CPS and the reality of security. I don’t have to be secure, just more secure than the 20 phones or devices next to me. Its why I keep pounding on the concept of standards for personal and home private cloud security. Easy to implement security that gets most people to “minimally secure” rather than their current state of Maximum Exposure.

Tomorrow, that device you love will be at your place of work. The home private cloud you connect to and the personal cloud around you comes into your place of business or the organization where you work. You, without meaning to, just invited a person with bad intentions into your place of work. OT and IT Security teams have to defend against attacks. They once defended the exterior of your organization with Firewalls and layers of security. It was called a tootsie pop (hard exterior, soft interior). But now that soft interior is sitting in the coffee shop across the street. That soft interior is being fed information by thousands of devices. Sun Tzu wrote know your enemy but also know your field of battle. When you friend is sitting in the pocket of someone 2000 miles away from the core security systems you’ve built to protect the information of your organization what happens next? If you time the device out to protect the data you could cost your company sales. Losing sales slowly runs you out of business. If you lose the information you can also lose your business (your competitive advantage leaking out of an android device hacked at 30,000 feet because someone didn’t switch to airplane mode in an airplane).

The enemy was never in front of IT Security, but they could once at least control where the enemy attacked. Now the field of battle has changed and the pencil sharpener your new neighbor gave you could be a listening device. The prize you won (for those of you who love the works of Jean Shepard a Lady’s Leg Lamp) that you brought into the office could actually be a Trojan horse, literally. Seeking open we-fi or Bluetooth connections to take control.

As the field of battle expands its time to at least control as many variables as we can. Its time for a personal cloud security standard. A minimum for what security exists in your personal cloud. Its time for a home private cloud security standard as well. Better security at your cable model or fiber optic network connection. Better security on your devices by default. Yes security can slow you down. But being out of work because your company can’t keep its secrets is a lot worse.

(With apologies to John Kennedy). With the image on the left I am not comparing CPS or the data produced by CPS devices to the devastation that is a flood. I am simply equating the data to the end result of a flood where land normally dry has water sitting on it. More data than the system can handle.

So the first thing is a clear standard for what a CPS device really is. NIST published a recent draft framework that is pretty good. The EU also has a framework (focused on IoT, CPS is a NIST term).. The concept leads to three things:

How devices communicate.

How devices are secured.

What happens to the data produced by a device.

In my professional assessment there are two more considerations, the power consumed and the bandwidth available for CPS devices.

I prefer to break bandwidth into two distinct buckets when I consider CPS’s impact on Bandwidth. That comes from the long years I’ve spent chasing connectivity.

Bandwidth from the CPS device to the recording or storing system.

Bandwidth from the reporting system to the receiving device.

Basically we have system. The inputs are the CPS devices that are sprinkled around the world. That sprinkle (10 billion devices in 2015) will become a dollop very soon (46 billion devices by 2020). The business rules are how we secure the data, how we secure the devices, how we modify or present the data collected and how we manage where that data is. The outputs can be your cellular device, a web page or reporting page or other more formalized applications (Mainframe or Client Server based).

Systems can operate in a loop. I talk to the same device every day with the same device. The device sends information. The receiving device confirms and waits for the next time the first device sends the information again. A loop. The loop can be closed by physical or cyber security, or simply by a direct connection between the device and the receiving system.

The system can also be broadcast. The device sends information to a large number of receivers. Weather data and stock data fit this model, broadcast from a device to millions of other devices.

The limit becomes the bandwidth of the device. So you tailor information for devices. The same is true going forward for Smart Devices in the CPS world. That device needs to know how much bandwidth is available for the information it has. There are CPS sensors that really don’t to fail in terms of information provision. Volcano eruptions, earthquakes, Tidal waves, radiation leaks well you get the idea we really want those sensors to work real time.

So we build business rules in between the inputs and the outputs to manage the presentation of data. What device is this going to. What is the screen size of the derive or where am I presenting the data. What is the available bandwidth. I got back to my tongue in cheek example. The open personhole cover warning system. Data relevant to public safety has to be able to stomp all over any other data. IE even if you are on the phone with grandma you have to give a little bandwidth for high priority information (the personhole cover 2 feet in front of you IS OPEN!).

Personally I think the cool reality that is possible and that I have talked about before is the creation of CPS brokers. A cloud broker solution that allows a group of companies to come together in a community broker. Where the aggrade services offered by the broker isn’t just cloud service providers. Its common CPS devices and common services beyond that (I called it the copyrighted term Broker Marketplace).

I have a good friend who hates the term Big Data. She always says its not the size of the data but the analytics that matter. I agree with her. Large data sets are more driven by the ability to analyze the information than by the actual size of the data. As we head down the CPS path there are additional things to think about in terms of data. Data has a time to live. I made my joke a couple of days ago about the open manhole cover warning system. Really good information to have as you walk along the sidewalk on your way to work. Not information that does you any good as you are falling into an open manhole cover on your way to work.

The when you get data is critical. Two seconds after you hit the bottom of the manhole with a broken leg the data is useless. (its sexist by the way to assume only men should go into sewers, lets change the name to personhole). Data that is too large for your device to consume is also not relevant. A map with all the open personhole covers in a city on your phone is useless if you are 1 foot in front of a currently open personhole.

The legendary interview question why are all manhole covers round. The answer – they aren’t. Data is time driven it is also device driven. Both the producing device (CPS or other) and the receiving device (laptop, mainframe, desktop, cellular phone, server, bank of servers, cloud provider). The reality of the data as much when it needs to be consumed as well as where it needs to be consumed.

CPS devices today (2015) produce around 110 zB of data. Where z represents Zeta. A zeta byte represents 1000 Petabytes of data (pB). It’s a lot of information. Some of it can be quickly discarded (you only need the video feed relevant to the problem, the rest of the feed can be discarded). But that is today, October 2015.

A little over two years ago a number of interesting campaigns started on Kickstarter and Indiegogo. This image is of the Bubl camera. 3d camera in fact. It very quickly lets you render a 3d image of any space you place the camera. It’s a lot more data than you produce with even a high end DSLR. It also adds an interesting twist to the data you collect, parse and use. If you get a chance to get one, I highly recommend it.

The data collected is changing. The presentation mode of the data is changing as well. Where you consume and how you consume data is radically different in just the last 10 years. The birth of BYOD changes how data is presented. The flexibility to work remotely or at the local coffee shop makes anywhere a work place (don’t get me started on the overall security threat that represents). Data now adds a third dimension that device specific actionable. An excel spreadsheet sent to me while I am wandering around with my iPhone as my primary connection isn’t a good use of my time, your time or the data and frnakly my device. A smart device system would notify the sender that in fact the user was on their cell phone and would not be able to interact with the information.

My friend who has long been ahead of the data importance curve was right. Its not big data. Big implies size. Its smart device data and analytics.

The concept of connections is interesting. First off consider what a connection. Consider how and why you connect and who you connect to. Before there was a Facebook, did the concept of casual contacts support knowing what those casual contacts were actually doing from time to time? People that don’t always know but are connected to because of social media? Not that it is a tenuous connection rather it is light connection.

Social media created the concept of friends, acquaintances and loosely those that are members of a group. The act of connection expanding your world. Now it is a good thing, I have reconnected with people on social media that I hadn’t seen in a long time. You know how good it feels to find people that knew you when.

Two really quick things that make me wonder. Why does Facebook have an upper limit on the number of people you can know? Where the professional network (Linkedin) does not?

The phrase we met on social media plays differently now than it did as recently as ten years ago. As those networks launched they were at the time a young persons game. Now they have moved to a broader audience.

We can argue that you can on those sites share too much. Information that you should keep to yourself gets pushed out. Like the simple self protections of NEVER SAYING I AM NO VACATION until after you are home. Why invite someone who is trolling social media to find people that aren’t home to break into your now empty house. Of course my house is never empty. The dogs fill the whole bloody space (ever try to share a couch with two Labradors? It isn’t physically possible).

Yes you can share things you shouldn’t share but too much is an interesting question. If someone is struck by what you shared even if it is probably close to too much information is that valuable? Depends. Personally I think if I see one more picture of a meal shared on Facebook I am going to start unfriending people. Really while I certainly appreciate a good meal, 23 photos of the last 23 things you ate and nothing else is well too much information.

The balance of information, some personal, some interesting and a couple of pictures of dinner is the right balance. Keeping in touch with people you don’t see as often is the value. Adding people you haven’t seen in years is the service the social media sites provide.

That got me thinking about guidelines for Social Media sharing. We should probably start building some. Just simple rules that don’t announce to the world that we are venerable.

Never publish that you are on vacation while you are on vacation. The wonder and joy of family vacations are best shared after you are home.

Pictures should be shared, but carefully. Having a picture doesn’t mean you should share it. Of course the other side is true having a picture means you should think abbot sharing it.

Once posted it is real. Any thought you share with the world via email, posting, blogging or otherwise is real and permanent. Remember that when you are offended by something. Because the email/post/reply/comment/blog you send can offend as well.

Oh brave new world to have media such as social in it. We can share everything (so we need rules!!!!) with those we know. Just remember everything you say can and will be held against you.

You can have 7 active Bluetooth connections on your device. Plus 240 give or take sleeping devices that are not actively connected. Now, there is a priority issue as far as the overall connectivity of Bluetooth. Some connections like car connections take control of the cellular phone. Toyota has released a new application where you can connect not only to the diagnostics of your car, but also use your iPhone as an internet radio. It’s a two way connection that provides not only interaction with the car, but also the phone from a central drivers screen.

HUD’s are coming as well. There are a heads up displays that allow you as the driver to interact with your phone while watching the road. More and more cars are also adding blind spot radar, notifying you of things coming behind you that you can’t see. Your car at this point is an CPS (IoT) system.

In fact there are a number of unique systems your cellular device will interact with (hence starting with the maximum active connections). Over time your car will become a system. Based on my discussion awhile ago (continuation) your car will need to be able to pass information from the drive home to your home or office systems. It will connect to our home system and that is where integration occurs. There are any number of systems in a car. There are any number of systems in your home. The concept is a System, presenting itself with systems underneath that or a System of Systems.

In my continuation spiel I talked about having the intelligence in the device to understand transitions. There is also as I talked about yesterday in my home private cloud security standards, a need for simplicity in home security for that home system. The overall solution we are talking about requires standards. The what and why of that is revealed by cellular phones. In the early years of the cell phone there were two distinct formats. Those two systems and had points of connection but they were less integrated than they could have been. Over time that integration has been retrofitted into the overall system. With 10 billion IoT devices in the overall CPS system, we need integration standards now before the remaining 30 billion devices coming in the next five years are deployed.

So to bring this back to the original thought, 7 active connections. Car, smart watch, headset makes 3. That leaves 4 connections. Integration tells me that we can easily use those. As long as the various devices play nice. Systems have to release devices. If a device uses Wi-Fi things change. Today the interaction with Wi-Fi connected devices is via an application. Then we are only bound by the processor and memory of the device we are using as to how many active connections we can have. This is where home automation systems begin to offer a single unfired management interact for the System of Systems (SoS) that is your home. As I said before Toyota is already heading down that path (as is Mercedes, Lexus, Tesla, Jaguar and others). Connecting two Systems of Systems (SoS) requires clear integration standards. A huge piece of the overall integration standard has to be a crisp handoff. Continuation is the concept, handoff is the critical piece.

Security vs. information. It would seem to becoming a tug of war. More and more access to the information that is needed to do people’s jobs. More and more information available. More and more places you can access that information. More and more risk for the IT Security team.

The same is true for home users and home automation systems. There is a tug of war between what is possible and the risk possible brings. Where the enterprise IT Security team has people thinking about the risks of security for the organization, there isn’t as much energy devoted to home security. Partially because to date there haven’t been IT systems sitting in peoples homes. There won’t most likely be either. Your company laptop carries the corporate security on it, so they don’t have to worry about your home network.

The conflict is there however. First off do you have anything on your home network that someone would want. Or do you have something in your home of value? For the most part hackers want to attack electronic information. But if your home security system can be easily disabled then physical objects can also be at risk. For the most part though we are talking about digital objects. Obviously back up are critical. But what digital objects do you have in your home today?

What is at risk if your home is compromised?

First off this is not meant to be an alarmist blog – scaring people into pulling everything digital off their home network. It is instead a recognition that the market has changed. That the concept of private clouds have three distinct flavors now that are unique and different.

Home Private Cloud: What you have deployed in your home, even if it is just a single computer.

Managed Private Cloud: This is a VPC (virtual private cloud) or PPC (physical private cloud) provided by a vendor and not on your companies property.

Private Cloud: as defined today, an on premise implementation of computing resources.

The problem is the first private cloud, home. There needs to be structured security standards around the concept of home private clouds. Those standards have to be easy to implement and reasonably hard to crack. Personally I think this is a massive market for the companies that offer home security and one they are missing. The Brinks, ADT and other security companies can offer you a managed home network security package. Where the centralized security they offer can be managed by network professionals. They add the cost (say $2 per month) to your existing home security system bill. This gives us step one, centralized initial security. The other thing, is a centralized home security box that is network aware. Managed by the remote security company, a box that smart devices know exists and they request tokens from the box (Kerberos works this way). That way your home security has a level of easy to manage device security.

Complexity and home security won’t work. People don’t like complexity. Our goal when we come home at night is to relax and read, watch TV, make dinner not to worry about remote hackers attacking the family photo store.

Cyber Physical Systems (CPS) or the common moniker the Internet of Things (IoT) represents a change. The graphic on the left talks about the connections and the devices you connect together.

The points of connection are intriguing. If you wander Kickstarter or Indiegogo, you will find the IoT of amazing. Derives that offer connections galore. Now, I have and continue to argue that in fact the private cloud that is represented by all the CPS devices in your home needs to be codified. The reason for my constant rut following is that home private clouds need to have “pre” or “automated” security rules installed.

Now we are not talking massive security rules that have to be managed. Rather, I am talking about automated security to protect the home systems for the most part. Reality is if a hacker really wants into your home, he or she will get in. What you are trying to do is keep the majority of people out. It needs to be simple, automated and structured so that it can update itself from a secure system without you having to see, touch or for that matter even understand the security system.

The concept of a secure home will become more and more critical. Assuming the analysts are right (or even in the ball park) the average person throughout the world will have between 6-7 IoT devices connected to them. That means a family of 4 will have between 34 and 28 devices in the home. I suspect that number is low (again search for IoT devices on Kickstarter and Indiegogo there are more than 7 types alone right now).

Personal presence devices alone will probably add two or three devices in every home. From a security perspective there will need to be security around the personal presence devices, stalkers could well become more intrusive by controlling those devices in your home. They are convent. But they do pose a threat.

So, home private cloud and set security structures. A standard that will allow some peace of mind. It won’t solve the reality of bad people doing bad things. But at least we can control and limit the impact of what bad people can do.

As my grandfather once said about the television. When the news is bad you can always turn it off. You can always remove the battery from a CPS device and have it remain powered off. There is no better security than a device that cannot be accessed. Of course the value of a device that is turned off is a lot less!